Today we have one of the most experienced information security professionals with us, who has rich experience in this domain, mainly dealing in Threat Management. He is working as Vice President for the Threat Management Group at Aujas Networks, and in this interview he explains various key factors and the role of threat management. So let’s have a look at the discussion the Hackers Interview Team had with Mr. Jaykishan Nirmal.
Hackers Interview: Hello Mr. Jaykishan, please introduce yourself to our readers.
Jaykishan Nirmal: Hi Readers, I am Jaykishan Nirmal. I head the Threat Management business group at Aujas. I am responsible for building and leading large teams providing application security advisory, network security, verification and transformation programs to manage risk and vulnerabilities. Over the last decade, I have been privileged to work with clients from multiple industry verticals like banking, finance, telco, insurance, pharma and retail, across different geographies, helping them secure applications and infrastructure. I always appreciate and enjoy working with some of the best technical minds and fabulous clients.
Hackers Interview: Why did you decide to pursue Information Security as your career option?
Jaykishan Nirmal: Well, I think it all started with a passion to learn programming languages in 8th grade. I started with C and Visual Basic, and later learnt PHP and Java. During college days, I used to work as a freelancer to build websites and used to spend time discovering security bugs (“bug bounty” as we know it). Because of my interest in this field, I decided to apply for an internship with a security company as part of my final year project and got an opportunity to work on building a “security product”. It was the first time I was exposed to best practices of how “security” is built while writing code; I then studied OWASP in detail and got to work on system internals and protocols. I really found this exciting and challenging enough to pursue as a career option.
Hackers Interview: How did you start your journey in this domain?
Jaykishan Nirmal: I believe it pretty much started during my college days, and the internship that I did with the security company definitely gave it a boost. The adoption of OWASP was at an early stage in India at that point in time; people were talking about it, but best practices were not followed while writing software. In my first job I volunteered to help the team write secure code and test it. Fortunately my manager entrusted me with the responsibility, and that’s where the actual journey started.
Hackers Interview: Tell us about your experience in this field.
Jaykishan Nirmal: It has been a really enriching and exciting journey so far. The amount of learning you have on a day-to-day basis working with like-minded colleagues and clients is what I cherish the most. In the last 10+ years, I have been privileged to travel to more than 15 countries, worked with people from different cultures and geographies, collaborated with partners on cutting-edge solutions and helped clients manage risk and vulnerabilities through various means like vulnerability management programs, application security advisory, DevSecOps, remediation advisory, digital forensics, trainings, gaming simulations, open source security and IP compliance. I also had an opportunity to evangelize and be part of a team which built a platform (Phishnix) to launch spear phishing campaigns to measure employees’ behaviour and check preparedness against spear phishing attacks.
Hackers Interview: How does vulnerability management help to enhance the security posture of an organisation?
Jaykishan Nirmal: Vulnerability Management is not a new phenomenon. It’s been there for more than 20-25 years and has definitely evolved over a period of time. With the rapid evolution of technologies and the adoption of cloud and IoT, the threat landscape has changed drastically.
Nowadays, scanning technologies have matured enough and report fewer false positives. The number of vulnerabilities discovered across systems, servers and devices spread across geographies is enormous. You can’t really fix them all; not even the critical or high vulnerabilities, for that matter. They need to be prioritized well to reduce risk efficiently. Let me give you an example: if there are two planes coming from opposite sides, one can assume that they would collide and break. However, if we can get additional information like current speed, their exact coordinates, and the height at which they are flying, we can be more certain whether they will actually collide or lead to an incident. The same is true for vulnerability management. If one can apply context (role), understand the criticality of data (“business-back” approach) and the location of an asset, the prioritization can be done well, risk can be reduced and the overall security posture can be improved. There are various ways and means available to achieve it.
Hackers Interview: Do you think most organisations have capable teams and are ready to adopt the new information security standards?
Jaykishan Nirmal: The answer is Yes and No. Every information security standard will have a set of best practices and controls to be implemented to ensure that risk is minimized to an acceptable level and data is safe. Apparently, these are best practices and would definitely overlap with some of the standards and practices already being followed by an organization. Many organizations, depending upon their maturity levels, have already put together a dedicated cyber security function. This function focuses on governance, risk and security operations to ensure that they follow the best practices prescribed in standards and stay compliant at all times. As technology advances, so do the ways to exploit it for gains. It’s always challenging to provide specialized training (skills gap) to deal with technology, data and the latest in security tools and technologies, and also to provide opportunities to people which will keep them interested (retain key talent) all the time. Hence, it would be advisable to build specific “competencies” within the cyber security function, and the rest can be partnered with organization(s) who have niche capabilities and the right set of skilled resources to address the needs.
Hackers Interview: What are the various Open Source IP Compliance failures you see in the current industry?
Jaykishan Nirmal: It’s always assumed that open source code is free and available for anyone to use. Open source components are associated with licenses, and licenses have associated terms and conditions of use. There are limitations on “usage”, “copying”, “modifications” and “distribution” you need to know before you make use of open source code “freely” in your code. At times, we have observed that SaaS service providers assume that open source components can be used because they are not shipping products to their clients or the code is not publicly released; however, that’s not entirely true. Such components can be associated with licenses like Affero GPL, which have attached terms and conditions to be followed. And last but not least, an open source component comprises source code and third party libraries, and that source code can itself contain vulnerabilities. So, it does require inspection from a security perspective like any product or software you build.
Hackers Interview: What are the various career opportunities in Information Security?
Jaykishan Nirmal: With the increased penetration of digitization across industries, there is a lot to do on the cyber security front to ensure that data is safe and handled appropriately. Cyber security is a vast domain, and one can choose to be a generalist or a specialist in specific domains. If you are someone who knows networks well, you can choose to be a network engineer or be part of the SOC to monitor networks for anomalies, utilize SIEM solutions to analyse logs and conduct root cause analysis for incidents. Further, it can be extended to an incident forensics and response role. At an advanced level, you can be a threat hunter and proactively look for indicators of compromise to avert big breaches, or build expertise in malware and ransomware analysis and help organizations protect against such infections. If you are good with development, you can choose to become an application security expert and further specialize in application security architecture reviews and help the development team build secure applications. There are plenty of opportunities also available in governance, risk and compliance, identity and access management, IoT security, legal, cloud security and so on and so forth. One has to decide based on interest, and can work or build one’s career in one or multiple of these areas.
Hackers Interview: What are the useful online and offline sources to learn Vulnerability Management and Open Source IP Compliance?
Jaykishan Nirmal: For Open Source IP Compliance, one can start with exploring Fossology (https://www.fossology.org/). There are numerous resources available for vulnerability management. There are a few online communities like Pentester Academy, Udemy, Cybrary etc. who offer trainings and courses to get up to speed on the latest stuff in the industry.
Hackers Interview: During your career so far, what challenges do you see in the industry with regard to cyber security?
Jaykishan Nirmal: As technology changes rapidly, so do the opportunities and challenges you get. We are living in an era where the internet has become an integral part of what you do, and that also increases the attack surface area. The demand for cyber warriors always outweighs the available talent pool. You would always have challenges attracting and retaining the right talent who can meet current demands in cyber security. We are not in this alone; that also includes the clients we work with and the partners with whom we collaborate. Obviously, then you need to have more creative ways to address these issues. You have to hire people from non-traditional backgrounds with relevant experience, collaborate within the industry in order to address threats, have a clear roadmap and commitment on training and development, and hire fresh talent from universities and institutes who are offering specialized cyber security courses.